Network Planning and Design, supplementary material: IPv6, NAT, DHCP, ACL (ipv6-nat-dhcp-acl.ppt)
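Added worked example, not taken from the slide deck: a parser for the eight IPv6 fixed-header fields and the Fragment extension header fields that the IPv6 slides below enumerate. Field layout follows RFC 8200. The sample packets, the addresses 2001:db8::1 and 2001:db8::2, the flow label and the identification value are constructed for the demonstration.

```python
"""Parse an IPv6 fixed header and a following Fragment extension header.

Added example (not part of the slide deck). The packets below are
constructed by hand; field layouts follow RFC 8200.
"""
import struct
import ipaddress

IPPROTO_FRAGMENT = 44   # Next Header value that announces a Fragment header
IPPROTO_UDP = 17


def parse_ipv6_header(data: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header into its eight fields."""
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version={version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,   # 8 bits
        "flow_label": first_word & 0xFFFFF,           # 20 bits
        "payload_length": payload_len,                # bytes after the fixed header
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(data[8:24]),
        "dst": ipaddress.IPv6Address(data[24:40]),
    }


def parse_fragment_header(data: bytes) -> dict:
    """Decode the 8-byte Fragment extension header.

    Layout: next header (8) | reserved (8) | fragment offset (13) |
            reserved (2) | M flag (1) | identification (32).
    The offset is in 8-octet units, so the byte offset is offset * 8.
    """
    if len(data) < 8:
        raise ValueError("truncated Fragment header")
    next_header, reserved, off_res_m, ident = struct.unpack("!BBHI", data[:8])
    return {
        "next_header": next_header,
        "reserved": reserved,
        "fragment_offset": off_res_m >> 3,
        "reserved2": (off_res_m >> 1) & 0x3,
        "more_fragments": bool(off_res_m & 0x1),
        "identification": ident,
    }


def parse_packet(pkt: bytes) -> dict:
    """Parse the fixed header and, if present, the Fragment header behind it."""
    hdr = parse_ipv6_header(pkt)
    result = {"ipv6": hdr, "fragment": None}
    if hdr["next_header"] == IPPROTO_FRAGMENT:
        result["fragment"] = parse_fragment_header(pkt[40:48])
    return result


def build_sample(offset_units: int, more: bool, ident: int) -> bytes:
    """Construct a sample IPv6 packet carrying a Fragment header (test data)."""
    first_word = (6 << 28) | (0x00 << 20) | 0xABCDE   # version 6, TC 0, flow label 0xABCDE
    frag = struct.pack("!BBHI", IPPROTO_UDP, 0, (offset_units << 3) | int(more), ident)
    payload = b"\x00" * 16
    fixed = struct.pack("!IHBB", first_word, len(frag) + len(payload), IPPROTO_FRAGMENT, 64)
    fixed += ipaddress.IPv6Address("2001:db8::1").packed
    fixed += ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + frag + payload


if __name__ == "__main__":
    for offset, more in ((0, True), (185, False)):
        f = parse_packet(build_sample(offset, more, 0x12345678))["fragment"]
        print(f"id={f['identification']:#x} offset={f['fragment_offset'] * 8} bytes "
              f"more={f['more_fragments']} upper-layer next header={f['next_header']}")
```

Two things a practitioner checks when reading this header: the offset is counted in 8-byte units, and in IPv6 only the sending host fragments (routers do not), so a first fragment that does not carry the complete upper-layer header chain (RFC 7112) is a classic filter-evasion pattern and should be dropped rather than passed.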
IPv6, the next-generation Internet Protocol

New features of IPv6:
1. A much larger address space
2. A simplified header format
3. Flexible options, carried in extension headers
4. Support for resource pre-allocation
5. Room for the protocol to keep evolving

IPv6 fixed header fields:
(1) Version
(2) Traffic class
(3) Flow label
(4) Payload length
(5) Next header
(6) Hop limit
(7) Source address
(8) Destination address

Extension headers

Six extension headers: Hop-by-Hop Options, Routing, Fragment, Authentication Header, Encapsulating Security Payload, Destination Options.

IPv6 keeps most of the IPv4 fragmentation model, but only the sending host fragments (routers never do), and the fragmentation fields move out of the fixed header into the Fragment extension header:
(1) Next header (8 bits)
(2) Reserved (8 bits)
(3) Fragment offset (13 bits, in 8-byte units)
(4) Reserved (2 bits)
(5) M, the "more fragments" flag (1 bit)
(6) Identification (32 bits)
The slide counts the two reserved fields together as 10 bits; in the header they are not adjacent.

Private addresses

NAT classification

1. Static NAT: each inside host address is mapped one-to-one to an outside (public) address.
[Topology: PC3 10.1.1.3 and PC4 10.1.1.4 on the inside; 200.200.200.2 on the outside]

2. Dynamic NAT: inside hosts are mapped to public addresses drawn from an address pool.

3. Port Address Translation (PAT, "overloading"): many inside private addresses are mapped to one public address and told apart by different port numbers. In theory one IPv4 address offers 65,536 port numbers per transport protocol; Cisco course material gives about 4,000 as the realistic number of translations one overloaded address carries.

Configuring NAT

Static NAT configuration example
  r1(config)# ip nat inside source static 10.1.1.2 200.200.200.3
  r1(config)# ip nat inside source static <inside-local> <inside-global>   (second mapping; its addresses were not preserved on the slide)
  r1(config)# interface f0/0
  r1(config-if)# ip nat inside
  r1(config-if)# int s0/0
  r1(config-if)# ip nat outside

Verifying static NAT
  r1# debug ip nat
  IP NAT debugging is on
  00:11:09: NAT: s=10.1.1.2->200.200.200.3, d=2.2.2.2 [40936]
  00:11:09: NAT*: s=2.2.2.2, d=200.200.200.3->10.1.1.2 [40936]
  r1# sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  --- 200.200.200.3      10.1.1.2           ---                ---
The number in brackets is the IP identification field of the translated packet; NAT* marks a packet translated on the fast-switched path.

Dynamic NAT configuration example
  r1(config)# ip nat pool NAT <first-address> <last-address> netmask <mask>
  r1(config)# ip nat inside source list 1 pool NAT
  r1(config)# interface f0/0
  r1(config-if)# ip nat inside
  r1(config-if)# int s0/0
  r1(config-if)# ip nat outside
Access list 1 (not shown on the slide) selects the inside source addresses that are eligible for translation; anything it does not permit is forwarded untranslated.

  r1# debug ip nat
  00:45:40: NAT: s=10.1.1.2->200.200.200.3, d=2.2.2.2 [38930]
  00:45:40: NAT*: s=2.2.2.2, d=200.200.200.3->10.1.1.2 [38930]
  00:46:03: NAT: s=10.1.1.3->200.200.200.4, d=2.2.2.2 [38961]
  00:46:03: NAT*: s=2.2.2.2, d=200.200.200.4->10.1.1.3 [38961]
  00:46:27: NAT: s=10.1.1.4->200.200.200.5, d=2.2.2.2 [38993]

  r1# sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  --- 200.200.200.3      10.1.1.2           ---                ---
  --- 200.200.200.4      10.1.1.3           ---                ---
  --- 200.200.200.5      10.1.1.4           ---                ---
  r1# clear ip nat translation *
  r1# sh ip nat translations
After the clear the table is empty; dynamic entries are recreated as new inside-to-outside traffic arrives.

PAT configuration example
  r1(config)# ip nat pool NAT <first-address> <last-address> netmask <mask>
  r1(config)# ip nat inside source list 1 pool NAT overload
  r1(config)# interface f0/0
  r1(config-if)# ip nat inside
  r1(config-if)# int s0/0
  r1(config-if)# ip nat outside
  r1(config)# ip route 0.0.0.0 0.0.0.0 <next-hop>   (default route; next hop not preserved on the slide)

PAT example
  r1# sh ip nat translations
  Pro  Inside global        Inside local      Outside local    Outside global
  icmp 200.200.200.3:1792  10.1.1.4:1792     2.2.2.2:1792     2.2.2.2:1792
  icmp 200.200.200.3:1024  10.1.1.2:1792     2.2.2.2:1792     2.2.2.2:1024
Both inside hosts happened to use ICMP identifier 1792. The first keeps it on the shared public address; the second is rewritten to 1024, the first free number in the overload range, so that replies can be demultiplexed back to the right host.

NAT troubleshooting

DHCP service on the router

  ip dhcp excluded-address <low-address> [<high-address>]   ! addresses that are never handed out
  ip dhcp pool global                                         ! "global" is the pool name
   network <network> <mask>                                   ! address range leased dynamically
   domain-name <domain>                                       ! domain suffix pushed to clients
   dns-server <address> [<address>]                           ! DNS server(s)
   netbios-name-server <address> [<address>]                  ! WINS server(s)
   lease 3                                                    ! lease time, 3 days
  ip dhcp pool vlan1                                          ! a sub-pool of global: its network lies inside global's, so it inherits global's options
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.100 10.1.1.101                       ! default gateway(s)
  no service dhcp                                             ! stop the DHCP service
  sh ip dhcp binding                                          ! show address assignments
  show ip dhcp conflict                                       ! show address conflicts

  Router1# show ip dhcp binding
  IP address    Hardware address     Lease expiration        Type
  172.25.1.51   0100.0103.85e9.87    Apr 10 2003 08:55 PM    Automatic
  172.25.1.52   0100.50da.2a5e.a2    Apr 10 2003 09:00 PM    Automatic
  172.25.1.53   0100.0103.ea1b.ed    Apr 10 2003 08:58 PM    Automatic
The "hardware address" column is the DHCP client identifier: a leading 01 (Ethernet hardware type) followed by the client MAC address.

ACL

Why access control lists:
1. Limit network traffic and improve network performance.
2. Provide a means of controlling traffic flow.
3. Provide a basic level of security for network access.
4. At a router interface, decide which types of traffic are forwarded and which are blocked.

How ACLs work

Order of ACL conditions

Cisco IOS tests a packet against the statements of an ACL in the order in which they appear. The first statement whose condition matches decides the packet's fate and the comparison stops there; later statements are not examined. If no statement matches, the packet hits the implicit "deny all" at the end of every list. Two practical consequences: put the most specific statements first, and remember that a new statement added to a numbered ACL is appended at the end of the list.

Standard ACL
Standard ACL: checks the source address; generally permits or denies an entire protocol suite.
[Figure: incoming packet on S0/0 -> access list processing (permit?) -> outgoing packet on fa0/0]

Extended ACL
Extended ACL: checks source and destination addresses; generally permits or denies specific protocols.
[Figure: incoming packet on s0/0 -> access list processing (protocol test, permit?) -> outgoing packet on Fa0/0]

Checking packets with an extended ACL

Common port numbers

ACL numbers

Wildcard mask
1. A 32-bit string.
2. A 0 bit means "check the corresponding address bit"; a 1 bit means "do not check (ignore) the corresponding bit". This is the inverse of a subnet mask: 0.0.0.255 matches every host in a /24, and 0.0.0.0 matches exactly one address.

Special wildcard masks
1. any: equivalent to 0.0.0.0 255.255.255.255
2. host: equivalent to <address> 0.0.0.0; for example, host 172.30.16.29 is the same as 172.30.16.29 0.0.0.0

Access list commands
Step 1: define the ACL
  Router(config)# access-list access-list-number {permit|deny} test-conditions
Step 2: apply the ACL to an interface
  Router(config-if)# {protocol} access-group access-list-number {in|out}
  e.g. Router(config-if)# ip access-group 1 out

Standard IP ACL example 1: permit my network only
  access-list 1 permit <my-network> <wildcard>
  (implicit deny all, not visible in the list)
  (access-list 1 deny 0.0.0.0 255.255.255.255)
  interface ethernet 0
   ip access-group 1 out
  interface ethernet 1
   ip access-group 1 out
[Topology: router with E0, E1 and S0; the S0 side leads to non-local networks]

Standard IP ACL example 2: deny a specific host
  access-list 1 deny 172.16.4.13 0.0.0.0
  access-list 1 permit 0.0.0.0 255.255.255.255
  (implicit deny all)
  (access-list 1 deny 0.0.0.0 255.255.255.255)
  interface ethernet 0
   ip access-group 1 out
[Topology: router with E0, E1 and S0]

Standard IP ACL example 3: deny a specific subnet
  access-list 1 deny 172.16.4.0 0.0.0.255
  access-list 1 permit any
  (implicit deny all)
  (access-list 1 deny 0.0.0.0 255.255.255.255)
  interface ethernet 0
   ip access-group 1 out
[Topology: router with E0, E1 and S0]

Extended ACL configuration
  Router(config)# access-list access-list-number {permit|deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Extended ACL example 1: deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0; permit all other traffic
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
  access-list 101 permit ip any any
  (implicit deny all)
  (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
  interface ethernet 0
   ip access-group 101 out
Blocking port 20 only covers active-mode FTP data connections; passive-mode data connections use ephemeral ports and are caught here only because the control connection on port 21 is denied.
[Topology: router with E0, E1 and S0]

Extended ACL example 2: deny only Telnet from subnet 172.16.4.0 out of E0; permit all other traffic
  access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
  access-list 101 permit ip any any
  (implicit deny all)
  interface ethernet 0
   ip access-group 101 out
[Topology: router with E0, E1 and S0]

Standard versus extended ACL
  Standard: filters based on source; permits or denies the entire TCP/IP protocol suite; numbered 1 through 99
  Extended: filters based on source and destination; specifies a particular IP protocol and port number; numbered 100 through 199
(Later IOS releases add the expanded ranges 1300 through 1999 for standard and 2000 through 2699 for extended lists.)

Named IP ACL
  Router(config)# ip access-list {standard|extended} name
Feature of Cisco IOS Release 11.2 or later. The name string must be unique.

Using a named IP ACL
  Router(config-std-nacl)# {permit|deny} test-conditions
  Router(config-ext-nacl)# {permit|deny} test-conditions
  Router(config-std-nacl)# no {permit|deny} test-conditions
Permit and deny statements have no prepended list number. "no" removes that one statement from the named list, whereas "no access-list <number>" on a numbered ACL deletes the whole list.

Example: create an extended named ACL that denies Telnet from subnet 172.16.4.0 to subnet 172.16.3.0 leaving through F0/0, and permits everything else:
  ip access-list extended ACL1
   deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
   permit ip any any
  interface FastEthernet 0/0
   ip access-group ACL1 out

Placing ACLs
Place extended access lists close to the source: they identify the traffic precisely, so it can be dropped before it crosses the network.
Place standard access lists close to the destination: they match only on source address, so placed near the source they would cut that source off from every destination.
[Topology: routers A, B, C and D with interfaces E0, E1, S0, S1 and To0]

Verifying ACLs
  wg_ro_a# show ip int e0
  Ethernet0 is up, line protocol is up
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
The two lines to look for are "Outgoing access list" and "Inbound access list": here list 1 is applied inbound on Ethernet0 and nothing is applied outbound.

Monitoring ACL statements
  wg_ro_a# show access-lists
  Standard IP access list 1
  Extended IP access list 101
      permit tcp host 10.22.22.1 any eq telnet
      permit tcp host 10.33.33.1 any eq ftp
      permit tcp host 10.44.44.1 any eq ftp-data
  wg_ro_a# show access-lists {access-list-number}
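Added worked example, not taken from the slide deck: a first-match evaluator for Cisco-style standard and extended IP ACLs that implements the wildcard-mask rule, the top-to-bottom matching order and the implicit deny-all described in the ACL slides. The lists reproduce the ACL 1 "deny a specific host" and ACL 101 "deny FTP" examples from the slides; the packets are constructed sample traffic, and the misordered list is added here to show why statement order matters.

```python
"""First-match evaluation of Cisco-style standard and extended IP ACLs.

Added example, not part of the slide deck. It models how IOS walks an access
list top to bottom, testing addresses with wildcard masks, and falls through
to the implicit "deny all" when nothing matches. The lists mirror the ACL 1
and ACL 101 slides; the packets are constructed sample traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # keyword "any"


def host(addr: str) -> Tuple[str, str]:
    """Keyword "host": match exactly one address (wildcard 0.0.0.0)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'this bit must match',
    a 1 bit means 'ignore this bit' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY         # a standard ACL never tests this
    dport: Optional[int] = None        # "eq <port>" on the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, *self.src):
            return False
        if not wildcard_match(pkt.dst, *self.dst):
            return False
        return self.dport is None or pkt.dport == self.dport


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry. IOS stops at the
    first match; if nothing matches, the implicit deny-all applies (index None)."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


# Slide "deny a specific host":
#   access-list 1 deny 172.16.4.13 0.0.0.0
#   access-list 1 permit 0.0.0.0 255.255.255.255
ACL_1 = [Entry("deny", src=host("172.16.4.13")), Entry("permit")]

# Slide "deny FTP from 172.16.4.0 to 172.16.3.0, permit everything else":
#   access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
#   access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
#   access-list 101 permit ip any any
SUBNET_4 = ("172.16.4.0", "0.0.0.255")
SUBNET_3 = ("172.16.3.0", "0.0.0.255")
ACL_101 = [
    Entry("deny", "tcp", SUBNET_4, SUBNET_3, 21),
    Entry("deny", "tcp", SUBNET_4, SUBNET_3, 20),
    Entry("permit"),
]

# The classic ordering mistake: the same statements with "permit ip any any"
# first. The denies can never be reached, so FTP is let through.
ACL_101_MISORDERED = [ACL_101[2], ACL_101[0], ACL_101[1]]

# A list with only a deny: everything else, even unrelated traffic, is dropped
# by the implicit deny-all at the end.
ACL_DENY_ONLY = [Entry("deny", src=SUBNET_4)]


if __name__ == "__main__":
    ftp = Packet("tcp", "172.16.4.7", "172.16.3.9", 21)
    for name, acl in (("101", ACL_101), ("101 misordered", ACL_101_MISORDERED)):
        print(name, "->", evaluate(acl, ftp))
    print("deny-only list, ICMP from elsewhere ->",
          evaluate(ACL_DENY_ONLY, Packet("icmp", "10.0.0.5", "10.0.0.1")))
```

The `evaluate` result carries the index of the matching statement, which is the same information `show access-lists` exposes through its per-line match counters: when a deny you expect to fire never increments, the usual cause is an earlier, broader permit such as the misordered list above.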
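Returning to the PAT slides earlier on this page, an added worked example that is not taken from the slide deck: a model of an overloaded NAT translation table that reproduces the two `show ip nat translations` rows shown there, where both inside hosts used ICMP identifier 1792 and the second one was rewritten to 1024. The port range, the port-allocation policy (keep the host's own number if free, otherwise the lowest free number from 1024 up), the sample flows and the single outside peer are constructed assumptions for the demonstration, not a description of the IOS implementation.

```python
"""Model of a PAT (NAT overload) translation table.

Added example, not taken from the slide deck. It reproduces the behaviour
behind the 'show ip nat translations' PAT slide: every inside flow shares one
inside-global address and keeps its own source port (or ICMP identifier)
while that number is free; otherwise it gets the lowest free one, counting up
from 1024. Port range and sample flows are constructed for the demonstration;
a single outside peer is assumed, so reverse lookup keys on protocol and
translated port only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, inside local, local port, outside, outside port


@dataclass
class Translation:
    proto: str
    inside_global: str    # e.g. "200.200.200.3:1024"
    inside_local: str     # e.g. "10.1.1.2:1792"
    outside_local: str    # e.g. "2.2.2.2:1792"
    outside_global: str   # e.g. "2.2.2.2:1024"


@dataclass
class PatTable:
    global_addr: str
    dynamic_start: int = 1024          # first port handed out on a collision
    max_port: int = 65535
    entries: Dict[FlowKey, Translation] = field(default_factory=dict)
    by_global: Dict[Tuple[str, int], Translation] = field(default_factory=dict)
    used_ports: Dict[str, Set[int]] = field(default_factory=dict)   # separate space per protocol

    def _allocate_port(self, proto: str, wanted: int) -> Optional[int]:
        """Keep the host's own port if nobody else holds it, else pick the
        lowest free port at or above dynamic_start. None means exhaustion."""
        used = self.used_ports.setdefault(proto, set())
        if wanted not in used:
            used.add(wanted)
            return wanted
        for port in range(self.dynamic_start, self.max_port + 1):
            if port not in used:
                used.add(port)
                return port
        return None

    def translate(self, proto: str, inside_local: str, local_port: int,
                  outside: str, outside_port: int) -> Translation:
        """Outbound packet: return the existing entry or create a new one."""
        key: FlowKey = (proto, inside_local, local_port, outside, outside_port)
        if key in self.entries:
            return self.entries[key]
        gport = self._allocate_port(proto, local_port)
        if gport is None:
            raise RuntimeError(f"no free {proto} port left on {self.global_addr}")
        # For ICMP the "port" is the echo identifier. It is rewritten in the
        # request, so the reply carries the translated value too, which is why
        # IOS shows it in the outside-global column for ICMP rows.
        t = Translation(
            proto=proto,
            inside_global=f"{self.global_addr}:{gport}",
            inside_local=f"{inside_local}:{local_port}",
            outside_local=f"{outside}:{outside_port}",
            outside_global=f"{outside}:{gport if proto == 'icmp' else outside_port}",
        )
        self.entries[key] = t
        self.by_global[(proto, gport)] = t
        return t

    def lookup_inbound(self, proto: str, global_port: int) -> Optional[Translation]:
        """Reply arriving at the inside-global address: find the inside host."""
        return self.by_global.get((proto, global_port))

    def show(self) -> List[str]:
        """Render the table in the layout of 'show ip nat translations'."""
        fmt = "{:<5}{:<24}{:<18}{:<18}{}"
        rows = [fmt.format("Pro", "Inside global", "Inside local", "Outside local", "Outside global")]
        for t in self.entries.values():
            rows.append(fmt.format(t.proto, t.inside_global, t.inside_local,
                                   t.outside_local, t.outside_global))
        return rows


if __name__ == "__main__":
    table = PatTable("200.200.200.3")
    # Both inside hosts ping 2.2.2.2 using ICMP identifier 1792, as on the slide.
    table.translate("icmp", "10.1.1.4", 1792, "2.2.2.2", 1792)
    table.translate("icmp", "10.1.1.2", 1792, "2.2.2.2", 1792)
    print("\n".join(table.show()))
```

The model also makes the exhaustion case concrete: once every port in the range is held on the one inside-global address, `translate` raises instead of creating an entry, which is the condition behind the "about 4,000 per address" guidance on the PAT slide and a reason to size the pool and the translation timeouts together.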